Multi-factor authentication (MFA) is an access control method that requires a user to present two or more independent verification factors to prove their identity before gaining access to a system, network, or application. It is commonly used for remote access, administrative accounts, cloud services, and critical OT and IT systems in industrial and regulated environments.
What counts as a factor
MFA typically combines factors from at least two of these categories:
- Something you know: a password, PIN, or passphrase
- Something you have: a hardware token, smart card, badge, phone-based authenticator app, or one-time password (OTP) generator
- Something you are: a biometric such as fingerprint, facial recognition, or iris scan
Using two passwords or a password plus a security question is usually not considered multi-factor authentication, because both are in the same category (“something you know”).
How MFA appears in industrial and OT environments
In manufacturing and other industrial settings, MFA commonly refers to:
- MFA on remote access solutions such as VPNs, jump hosts, and remote desktop gateways used to reach OT networks and plant systems
- MFA for privileged IT and OT accounts, such as domain admins, SCADA engineers, MES administrators, and database administrators
- MFA on cloud-based MES, quality, CMMS, or document control portals accessed from the plant or supplier sites
- MFA on remote support connections used by vendors to service PLCs, HMIs, or other control equipment
In brownfield plants with legacy equipment, MFA is often implemented at the access gateway (for example, a jump server or secure remote access portal) rather than directly on each legacy OT system that cannot support modern authentication methods.
What MFA includes and excludes
MFA includes:
- Two-step verification where steps use different factor types, such as password plus a hardware token
- Authenticator apps generating time-based one-time passwords (TOTP) or push confirmations, and FIDO2/WebAuthn security keys
- Smart cards or badges combined with a PIN to access workstations or control room terminals
MFA does not include:
- Only a username and password, even if the password is complex
- Security questions or knowledge-based challenges added to a password, when both are “something you know”
- Single sign-on (SSO) on its own, unless SSO itself is protected by multiple factors
Operational considerations
When used in regulated or safety-critical operations, MFA may be addressed in access control procedures, cybersecurity policies, and change management. Typical operational concerns include:
- Where to enforce MFA (for example, at VPN, at jump host, or at each application)
- Handling of shared workstations on the shop floor, terminals in cleanrooms, or kiosks in hazardous areas
- Provisioning and deprovisioning tokens or authenticator methods for employees, contractors, and vendors
- Contingency access if authenticators are lost, unavailable, or fail
Common confusion
- MFA vs. 2FA: Two-factor authentication (2FA) is a specific case of MFA that uses exactly two factors. MFA is a broader term that covers two or more factors.
- MFA vs. strong passwords: Strong or complex passwords alone do not constitute MFA. MFA always requires at least one additional, independent factor.
- MFA vs. network controls: Network firewalls and segmentation restrict where a user can connect. MFA focuses on verifying who the user is before granting access.
Relation to jump hosts and firewalls
In legacy OT and manufacturing environments, MFA is often combined with firewalls, VPNs, and jump hosts to form layered remote access controls. MFA can be enforced at the point where users first enter the OT network or access critical systems, helping to reduce the risk of unauthorized use of remote access accounts, especially privileged accounts.